Once an institution has implemented an information security management system pursuant to ISO 27001 on the basis of IT-Grundschutz and all relevant documents are available, it may instruct an auditor to independently audit the IT domain and its security structure using the available audit scheme. The auditor documents his audit outcomes in an audit report which serves as the basis for an ISO 27001 certificate pursuant to IT-Grundschutz in conjunction with the application for certification made to the certification authority.
The audit essentially consists of two phases: a documentary audit and an on-site implementation audit. The audit outcomes are analysed and evaluated by the BSI's certification authority. Where the organisation's suitability is demonstrated by a regulated certification audit, the BSI's certification authority issues a certificate in accordance with ISO 27001 on the basis of IT-Grundschutz. The certificate is valid for three years but is subject to a monitoring audit during that period. After three years the certificate can be extended for a further three years following a re-certification audit.
INFODAS GmbH has ISO 27001 (lead) auditors available who are experienced both in ISO 27001 audits on the basis of IT-Grundschutz and in native ISO 27001 audits. INFODAS GmbH demonstrated its competence in this regard, for instance, by performing the first two certification audits of this type as soon as the audit scheme was introduced in spring 2006. Overall, eleven ISO 27001 certifications on the basis of IT-Grundschutz have been performed, and others are in progress or have been requested.